Proposed new data protection rules have been announced which will affect EU companies
WHEN EU JUSTICE Commissioner Viviane Reding announced a comprehensive reform of Europe’s data protection legislation on January 25th, in the form of a proposed new regulation, more than just Europeans were watching closely. For months, rumours had circulated about what might go into the proposal. Europe has long had stronger data protection laws than the rest of the world, restricting how its citizens’ data are used by businesses and organisations. Any changes to toughen them further could have major repercussions for multinational businesses as well as other governments, and international policing efforts.
Social media and technology companies, in particular, had been on edge. By the very nature of their operations, they handle large amounts of digital data. And the personal information placed online by users of social media services is critical to those companies’ business plans – all that information is considered very valuable by advertisers.
So lobbying, by businesses and governments, was heavy. “The lobbying has been fierce, mainly for us to postpone or scrap any such legislation,” Reding told journalists last week in Brussels. “But I said it would be on the table on January 25th, and because I wanted to have it, it was on the table on January 25th. So much for the efficacy of lobbying,” she said with a grin. What she proposed were major changes that would affect businesses and citizens, and which she said will become “the gold standard” for global privacy.
Why would we replace the existing 1995 directive? Because it is old and creaky and was put in place before there was such a thing as a widescale public internet, much less a world of apps, social media, portable storage devices that can hold the contents of a hard drive, and the other features of our digital age. “We’re not overhauling the principles, but modernising for how people use the internet today,” Reding said.
The 1995 directive is now also seen to have given too much flexibility to individual states, leading to 27 different data protection regimes (or, as was noted, actually 26 plus 16 further regimes because each German state has its own). This is confusing for citizens but also for business, which carries an additional €2.3 billion cost burden annually due to the administrative and management costs of complying with all of these data protection environments, according to impact studies cited by the commission. And privacy advocates have long complained that existing data protection offices across Europe vary enormously in capability. Some, such as the Belgian office, are not even able to apply sanctions for data or privacy breaches.
The new proposal allows for heavy fines – up to €1 million or 2 per cent of global annual revenue – for data breaches.
The old directive will be replaced by a regulation, which must be implemented in its entirety, and consistently, across all member states – removing any risk of uneven application across member states.
Each country will now have a Data Protection Authority following this single set of rules. There will be a board comprising the data protection commissioners from each state (replacing the current Article 29 Working Party, which has no real power), to which citizens or organisations can appeal if they disagree with the findings of an individual authority. On top of that, an appeal can be made to the courts.
The goal was to achieve a balance between the needs of businesses and adequate protections for consumers, Reding said. She is unflinching in seeing data protection and commerce as going hand-in-hand. If citizens are not confident that their data is adequately protected, they won’t use online services.
She noted that Europe has “a very low figure on cross-border e-commerce – only 6 per cent buy cross-border because they have no confidence ”.
A big part of the problem, she says, is that users are poorly informed about what data is being taken when they use a particular service, how it will be used and how long it is stored for, with most consent forms – when they exist at all – written in legalese that means people still don’t know what they have signed up to.
“The worst that could happen would be for the distrust of citizens” to prevent them from using services. Guarantee that their data is safe, and they will venture online, she says.
In the wake of the announcement in January, some businesses expressed concern about the additional cost they would encounter in complying with new data protection rules. But Reding counters that costs will be significantly lowered for small to medium sized business (SMEs), and notes that they will also be exempt from some of the requirements imposed on multinationals, such as having a designated data protection officer. A central goal of the regulations is to encourage internal market trade for SMEs, she said.
Social media companies are perhaps the most adversely affected, as they are most directly impacted by stipulations that organisations go to greater lengths to get explicit consent to use data, provide “data portability” to let users move between services, and comply with a new “right to be forgotten”, requiring data be deleted on request by users.
While some multinationals have said they were not entirely happy with the proposed regulations, Microsoft and Cisco have said they generally welcome data protection harmonisation across Europe and that the new rules will save costs and ease operations.
For Cisco, currently, “it’s prohibitively costly to get right in every European country”. A single regime would be welcomed, said Chris Dedicoat, Cisco president, Europe, Middle East, Africa and Russia.
Kostas Rossoglou of the senior legal office for the European Consumers’ Organisation, welcomed the proposals, noting that a big problem for consumers was that companies had no obligation to obtain specific consent from users of their services. “If I am not aware I have a right, if I am not aware that my data is being collected all the time, I am not going to complain,” he said.
Joe McNamee, advocacy coordinator for privacy advocate umbrella group European Digital Rights, said that while he had some reservations about the proposals, “the broad thrust of what the commission is trying to do is solid”.
But the proposals still have a way to go before becoming law. They must be approved by the European Parliament, a process that Reding hopes will happen by the summer of 2013. Sceptics note the parliamentary process is slow, parts of the proposals are controversial, and it may take until the current Parliament ends its term in 2014 before new regulation on data protection comes into force.
DATA PROTECTION: WHAT'S PROPOSED?
A single set of rules will apply across the EU
Less paperwork for companies, as “unnecessary” administrative requirements will go
Organisations and citizens will deal with a single data protection authority in the EU country where organisations have their main base
Organisations must notify their data protection authority and affected citizens of data breaches within 24 hours
Data breaches, or repeated failure to comply with the law, can draw fines of up to €1 million or 2 per cent of annual global revenue
EU rules must apply abroad when companies with an EU base handle EU citizen data abroad
Citizens have the right of “data portability”, to move data from one online service to another
Citizens have the “right to be forgotten” – online services must permanently remove data a person has uploaded, on request
NEW LAW: WHAT IT MEANS FOR US
A KEY ISSUE for Ireland in the new proposed regulations is that organisations will deal with a single national data protection authority in the EU country where they have their main base.
For a state like Ireland – the base for many multinational companies in the technology and internet sectors likely to be especially affected by these new rules – that means a greater burden of administration and investigation is likely to be placed on the Irish data protection authority.
The Irish Times asked EU Justice Commissioner Viviane Reding about the Irish situation.
“It will be a more complicated question for those data protection offices in countries where there may be more problems – where companies have chosen those countries to have their legal content,” she said.
However, in the case of a burdensome investigation, data protection authorities might work together.
For example, the recent investigation following a formal complaint from an Austrian student about Facebook, handled by the Irish Data Protection Commissioner’s office, might in future be handled by both the Austrian and Irish authorities working together.
But, Reding noted, there will only be a single set of rules that will be applied across all states.
“So it may be that [a company’s] interest in going to one country rather than another may be less, because there will be one law.”
On the other hand, Françoise Le Bail, the European Commission’s director general, DG Justice, said that one jurisdiction might be seen as preferable to another if the authority’s decisions are seen as unsatisfactory by either citizens or companies, and are constantly referred on for further arbitration to the proposed Data Protection Authority board.
“That could be the case,” she said. “Of course, it’s really good to have a data protection authority which sorts things out.”
